Spotlight on Surveillance

March 2007: Federal REAL ID Proposal Threatens Privacy and Security

EPIC’s “Spotlight on Surveillance”
project scrutinizes federal government programs that affect individual
privacy. For more information, see previous
Spotlights on Surveillance.
This month, Spotlight scrutinizes the proposed regulations for the national
identification scheme created under the REAL ID Act.[1] More
than two years after Congress rushed through passage of the REAL ID Act,
the Department of Homeland Security (“DHS”) announced on March 1 proposed
regulations that would turn the state driver’s license into a national
identity card.[2] The estimated
cost of the plan could be as high as $23.1 billion, according to the federal
government.[3]

THE DHS REGULATIONS FOR REAL ID

The Department of Homeland
Security regulations for REAL ID would (1) impose more difficult standards
for acceptable identification documents that could limit the ability of
individuals to get a state driver’s license; (2) compel data verification
procedures that the federal government itself is not capable of following;
(3) mandate minimum data elements required on the face of and in the machine
readable zone of the card; (4) require changes to the design of licenses
and identification cards; (5) expand schedules and procedures for retention
and distribution of identification documents and other personal data; and
(6) dictate state collection of personal data and documents without setting adequate
security standards for the card, state motor vehicle facilities, or state motor
vehicle databases.

Congress is debating legislation to repeal the REAL ID Act in the House and Senate. Maine and Idaho have passed legislation refusing to implement REAL ID. Below is a list of states where anti-REAL ID legislation is pending.

Arizona, Arkansas, Georgia, Hawaii, Illinois, Kentucky, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Mexico, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Washington, West Virginia, Wyoming

The federal agency is imposing
more difficult standards for acceptable identification documents. According
to the DHS, the only documents that could be accepted by the states to
issue these new identity cards would be: valid unexpired U.S. passport
or the proposed passport card under the Western Hemisphere Travel Initiative;
certified copy of a birth certificate; consular report of birth abroad;
unexpired permanent resident card; unexpired employment authorization document;
unexpired foreign passport with valid U.S. visa affixed; U.S. certificate
of citizenship; U.S. certificate of naturalization; or REAL ID driver’s
license or identification card.[4]

DHS
is also proposing to require the states to change their procedures to verify
these identification documents. The states must contact the issuing agency
to verify the “issuance, validity, and completeness of each document required
to be presented.”[5] The
federal agency requires that state DMV workers must physically inspect
the identification document and verify the data in the document “with an
authoritative or reference database.”[6]

The DHS proposal would mandate
minimum data elements required on the face of and in the machine readable
zone of the card. The following information, at a minimum, must
be on the REAL ID card: (1) full legal name; (2) date of birth; (3) gender;
(4) driver's license or identification card number; (5) digital photograph
of the person; (6) address of principal residence; and (7) signature.[7]

The federal agency would
also require changes to the design of licenses and identification cards.
The card must include “Physical security features designed to prevent tampering,
counterfeiting, or duplication of the document for fraudulent purpose”
and “common [machine-readable technology], with defined minimum data elements.”[8] DHS
is also reviewing card design standardization, “whether uniform design/color
should be implemented nationwide for non-REAL ID driver’s licenses and
identification cards,” so that non-REAL ID cards will be easy to spot.[9]

DHS is also expanding schedules
and procedures for retention and distribution of identification documents
and other personal data. Under the proposed regulations, DHS imposes new
requirements on state motor vehicle agencies so that the federal government
can link together their databases to distribute license and cardholders’
personal data.[10] The states are compelled to begin
maintaining paper copies or digital images of important identity documents,
such as birth certificates or naturalized citizenship papers, for seven
to 10 years.[11] DHS is mandating the increase of both
the type of documents that need to be retained and the length of data retention.

But
on security and privacy standards for the card, state motor vehicle facilities,
and the personal data and documents collected in state motor vehicle databases,
DHS shows little interest and proposes that states prepare a “comprehensive
security plan” for REAL ID implementation.[12] The vague plan proposes
that states would include 1) an “approach to conducting background checks
of certain federal employees”; 2) an approach to ensuring the “physical
security of the locations where driver’s licenses and identification cards
are produced”; 3) an approach to ensuring the “security of document materials
and papers from which driver’s licenses and identification cards are produced”;
4) a description of the “security features incorporated into the driver’s
licenses and identification cards”; and 5) if the state decides to use
biometrics as a part of its security plan, the state must “describe this
use in its security plan and present the technology standard the State
intends to use to DHS for approval.”[13]

DHS
would establish new requirements that states conduct background checks
on “certain employees working in State DMVs who have the ability to affect
the identity information that appears on the driver’s license or identification
card, who have access to the production process, or who are involved in
the manufacture of the driver’s licenses and identification cards.”[14] DHS would mandate that these employees
must submit fingerprints and undergo financial and criminal background
checks, and lists the disqualifying offenses.[15] DHS
also sets out standards for “security of document materials and papers
from which driver’s licenses and identification cards are produced,” such
as the “use of offset lithography in place of dye sublimation printing.”[16] The agency does not list minimum requirements for
states to meet in their plans to ensure “physical security of the locations
where driver’s licenses and identification cards are produced.”

The
Department of Homeland Security will require states to include information
“as to how the State will protect the privacy of the data collected, used,
and maintained in connection with REAL ID, including all the source documents.”[17] However, DHS does not require states to meet minimum
standards to safeguard the privacy of individuals’ data.

As for the mandated
“security features incorporated into the driver’s licenses and identification
cards,” the agency is “lean[ing] toward” approving a two-dimensional bar
code with encryption as the “common machine readable technology” standard,
but it does not require secure encryption.[18] Though Homeland Security lays out
the privacy and security problems associated with creating an unencrypted
machine readable zone on the license, it does not require encryption because
there are concerns about “operational complexity.”[19]

Homeland Security may also
require the use of radio frequency identification (RFID) technology in
the cards as part of the “common machine readable technology,” which means
the sensitive data would be transmitted wirelessly and vulnerable to interception
by third parties.[20] The agency is considering “vicinity
read” or “long range” RFID tags even though the longer distance increases
the risks of security and privacy problems associated with the wireless
technology: clandestine tracking, loss of control of data by cardholder,
and interception of data by unauthorized individuals.

ASSESSMENT

The mandates that DHS has
imposed upon the states are questionable. The federal agency imposes more
difficult standards for acceptable identification documents that could
limit the ability of individuals to get a state driver’s license. However,
there are questions as to whether some citizens could produce these documents – such
as victims of natural disasters or elderly individuals. The federal agency
will require the states to create an exceptions process for such individuals,
but does not set standards for eligibility, length of process, cost of
process or any other piece of the exceptions process.[21]

DHS
compels the states to complete data verification procedures that the federal
government itself is not capable of following. The federal agency dictates
that the states must verify the “issuance, validity, and completeness of
each document required to be presented.”[22] States must verify the data in identification requirements
“with an authoritative or reference database.”[23] However,
it is questionable whether certain databases even exist. In the draft regulations,
DHS concedes that it still needs to “ensure that the reference databases
meet the standards for data quality, reliability, integrity, and completeness
required to support REAL ID data verification.”[24] In fact, DHS admits some of these
reference databases “are still under development and need investment of
resources.”[25] Even
though DHS mandates state verification of identification documents through
these reference databases, the federal government has not yet created reliable
systems for the states to use.

The federal agency requires
changes to the design of state licenses and identification cards. The card
must include “Physical security features designed to prevent tampering,
counterfeiting, or duplication of the document for fraudulent purpose”
and “common [machine-readable technology], with defined minimum data elements.”[26] The
federal agency will require the use of a two-dimensional bar code, but
will not require the use of encryption. The Department of Homeland Security’s
own Privacy Office has urged the use of encryption in REAL ID cards. In
its Privacy Impact Assessment of the draft regulations, the Privacy Office
supported encryption “because 2D bar code readers are extremely common,
the data could be captured from the driver’s licenses and identification
cards and accessed by unauthorized third parties by simply reading the
2D bar code on the credential” if the data is left unencrypted.[27] DHS
says that, “while cognizant of this problem, DHS believes that it would
be outside its authority to address this issue within this rulemaking.”[28] Imposing a requirement
for the states to use unencrypted machine readable technology renders the
cardholder unable to control who receives her data.

The agency is considering
using RFID technology in the REAL ID cards even though it has just abandoned
a plan to include long-range RFID chips in border identification documents
because the pilot test was a failure. In 2005, the Department of Homeland
Security began testing RFID-enabled I-94 forms in its United States Visitor
and Immigrant Status Indicator Technology (US-VISIT) program to track the
entry and exit of visitors.[29] The RFID-enabled forms stored a unique
identification number, which is linked to data files containing foreign
visitors’ biographic information, including name, date of birth, country
of citizenship, passport number and country of issuance, complete U.S.
destination address, and digital fingerscans.[30] EPIC warned that this flawed proposal
would endanger personal privacy and security, citing the plan’s lack of
basic privacy and security safeguards. In October 2005 comments to the
Department of Homeland Security, EPIC explained use of the wireless technology
meant anytime a person carried his I-94 RFID-enabled form, unauthorized
individuals could access his unique identification number, and thus the
biographic information linked to that number.[31]

In a July 2006 report, the
Department of Homeland Security’s Inspector General echoed EPIC’s warnings.
His report found “security vulnerabilities that could be exploited to gain
unauthorized or undetected access to sensitive data” associated with people
who carried the RFID-enabled I-94 forms.[32] A report released by the Government
Accountability Office in late January identified numerous performance and
reliability issues in Department of Homeland Security’s 15-month test.[33] The
many problems with the RFID-enabled identification system led Homeland
Security Secretary Michael Chertoff to admit in Congressional testimony
on February 9th that the pilot program had failed, stating “yes, we're
abandoning it. That's not going to be a solution” for border security.[34]

Homeland Security’s failure
with the US-VISIT pilot test is just one of several instances where the
agency has stumbled with identification systems. The Transportation Security
Administration said recently that Secure Flight, a federal passenger screening
program, would be delayed until 2010, at least five years behind schedule.
Secure Flight was suspended a year ago after two government reports detailed
security and privacy problems.[35] One report found 144 security vulnerabilities.[36] About $140 million has been spent
on the program, and the TSA is seeking another $80 million for proposed
changes.[37] Homeland
Security also has problems with its bloated watch lists. More than 30,000
people who are not terrorists have asked the Transportation Security Administration
to remove their names from the lists since September 11, 2001.[38] In
January, the head of TSA said that the watch lists were being reviewed,
and he expected to cut in half the watch lists (estimated to contain about
325,000 names).[39]

DHS may compel card design
standardization, “whether uniform design/color should be implemented nationwide
for non-REAL ID driver’s licenses and identification cards,” so that non-REAL
ID cards will be easy to spot.[40] This combined with the mandate to
“provide electronic access to all other States to information contained
in the motor vehicle database of the State” would create a national database
of sensitive personal information that would be a tempting target for identity
thieves or other criminals hoping to subvert the national ID system.[41]

The federal agency dictates
the expansion of schedules and procedures for retention and distribution
of identification documents and other personal data. It creates a massive
database with the personal data and copies of identification documents
of 245 million state license and identification cardholders nationwide.
Yet DHS has chosen not to mandate minimum privacy standards for either
the database or the card itself.

DHS sets out standards for
background checks on employees and for the type of paper the identification
cards will use, yet it does not mandate any minimum standards of security
for the national database of sensitive personal information. The creation
of this massive database comes at a time when security breaches and identity
theft are on the rise. State DMVs already are the victims of inside and
outside attackers. For the seventh year in a row, identity theft is the
No. 1 concern of U.S. consumers, according to the Federal Trade Commission’s
annual report.[42] Over
104 million data records of U.S. residents have been exposed due to security
breaches since January 2005, according to a report from the Privacy Rights
Clearinghouse.[43]

OTHER RISKS

In a recent analysis of
the REAL ID Act, EPIC Executive Director Marc Rotenberg explained that
“[s]ystems of identification remain central to many forms of security.
But designing secure systems that do not introduce new risks is proving
more difficult than many policymakers had imagined.”[44] The theory that the REAL ID Act will
prevent terrorism is predicated on the belief that, “if we know who you
are, and if we have enough information about you, we can somehow predict
whether you’re likely to be an evildoer,” explained Bruce Schneier, security
expert and member of the EPIC Board of Directors.[45] This is impossible, because you cannot predict intent
based on identification, Schneier said.[46] Upon the release of
the draft regulations, Schneier said, “The REAL ID regulations do not solve
problems of the national ID card, which will fail when used by someone
intent on subverting that system. Evildoers will be able to steal the identity
-- and profile -- of an honest person, doing an end-run around the REAL
ID system.”[47]

When it created the Department
of Homeland Security, Congress made clear in the enabling legislation that
the agency could not create a national ID system.[48] In September 2004, then-Department of Homeland Security
Secretary Tom Ridge reiterated, “[t]he legislation that created the Department
of Homeland Security was very specific on the question of a national ID
card. They said there will be no national ID card.”[49] The REAL ID Act creates a de facto national ID card.

The requirement for non-REAL
ID driver’s license or ID card to have explicit “invalid for federal purposes”
designations turns this “voluntary” card into a mandatory national ID card.
Anyone with a different license or ID card would be instantly suspicious.
It will be easy for insurance companies, credit card companies, even video
stores, to demand a REAL ID driver’s license or ID card in order to receive
services. Significant delay, complication and possibly harassment or discrimination
would fall upon those without a REAL ID card.

Third parties such as insurance
companies are not the only ones who will try to broaden the use of the
REAL ID card. State licenses and identification cards must meet standards
set out in the regulations to be accepted for federal use. Such federal
purposes include entering buildings, boarding commercial aircraft, entering
nuclear power plants, and “any other purposes that the Secretary shall
determine.” The Department of Homeland Security, via the draft regulations
and Homeland Security Secretary Michael Chertoff, discusses expanding the
use of the national identification card. The federal agency seeks comments
on “how DHS could expand [the card’s official purposes] to other federal
activities.”[50] In a speech last month, Secretary Chertoff said the
REAL ID Act licenses might “do double-duty or triple-duty.”[51] These REAL ID cards would “be used for a whole host
of other purposes where you now have to carry different identification.”[52] Security expert Bruce Schneier,
EPIC and others have explained that it decreases security to have one ID
card for many purposes, as there will be a substantial amount of harm when
the card is compromised.[53] Using a national ID card would be as if you used one
key to open your house, your car, your safe deposit box, your office, and
more. “The problem is that security doesn’t come through identification;
security comes through measures -- airport screening, walls and door locks
-- that work without relying on identification,” therefore a national identification
card would not increase national security, Schneier said.[54]

A recent case illustrates
Schneier’s point. According to court documents, earlier this week in Florida,
two men entered restricted areas, bypassed security screeners and carried
a duffel bag containing 14 guns and drugs onto a commercial plane.[55] They
avoided detection, because they are airline baggage handlers who used their
uniforms and legally issued identification cards.[56] Both
men had passed federal background checks before they were hired, according
to a spokesman for Comair, the airline that employed the men.[57] The
men were only investigated and caught after receiving an anonymous tip.[58] If
the airport had identification-neutral security systems, such as requiring
all fliers go through metal detectors, then the men could not have walked
past them. But the identification-based security – allowing some
fliers to skip screening because they are presumed to have no evil intent – failed,
and the men transported weapons and contraband aboard a commercial flight.

CONCLUSION

The estimated cost of REAL
ID implementation has spiraled. Before the Act’s passage in 2005, the Congressional
Budget Office estimated its cost to be around $100 million.[59] In
September, the National Conference of State Legislatures released a report
estimating the cost to be $11 billion over the first five years.[60] Now, the Department
of Homeland Security has admitted that REAL ID will cost states and individuals
from $17.2 billion to $23.1 billion over ten years.[61] Congress
has appropriated only $40 million for REAL ID implementation. The Department
of Homeland Security now says that a state can use up to 20% of its Homeland
Security Grant Program funding for REAL ID implementation, which totals
about $100 million for 2007.[62] Implementation costs for the state
of California alone would be about $500 million.[63] Diverting
grant money to REAL ID means taking funding originally budgeted by the states
for other homeland security projects, including training and equipment
for rescue and first responder personnel. Even if the states received $100
million per year for 10 years, that would still amount to only $1.04 billion
in federal funds, a fraction of the $17.2 billion to $23.1 billion price
tag. The rest of the cost would be borne by states and their residents.

The REAL ID Act was appended
to a bill providing tsunami relief and military appropriations, and passed
with little debate and no hearings. REAL ID proponents state that the program
implements recommendations from the 9/11 Commission. However, REAL ID repealed
provisions in a 2004 law that created a negotiated rulemaking process among
the states, federal agencies, and concerned parties to implement the Commission’s
recommendations.[64] The
Intelligence Reform and Terrorism Prevention Act of 2004 contained “carefully
crafted language -- bipartisan language -- to establish standards for States
issuing driver’s licenses,” Sen. Richard Durbin said at the time of REAL ID’s passage.[65] In
response to the draft regulations, Sen. Patrick Leahy said, “It is ironic
that we probably would have stronger drivers’ licenses today if the original
shared rulemaking procedures that Congress agreed to in 2004 had been allowed
to move forward.”[66] Legislation
to repeal REAL ID has been introduced in the House and Senate.[67] Maine and Idaho have
passed resolutions rejecting implementation of REAL ID, and 25 other states
are debating similar legislation.

DHS is imposing stringent,
difficult and, in the case of document verification, impossible requirements
upon the states and individual cardholders. The draft regulations are open
for comment until May 8, 2007. To take action and talk to Congress about
this ill-conceived identification scheme, visit the Electronic Frontier
Foundation's Take Action page.

[4] Id. at 34-35; for a discussion of why
the Western Hemisphere Travel Initiative’s proposed passport card creates
an increased security risk, see EPIC, Spotlight on Surveillance, Homeland
Security PASS Card: Leave Home Without It (Aug.
2006), http://www.epic.org/privacy/surveillance/spotlight/0806/.

[31] EPIC, Comments on Docket No. DHS-2005-0011:
Notice With Request For Comments: United States Visitor and Immigrant
Status Indicator Technology Notice on Automatic Identification of Certain
Nonimmigrants Exiting the United States at Select Land Border Ports-of-Entry (Dec. 8, 2005), available at http://www.epic.org/privacy/us-visit/100305_rfid.pdf.